{"result": {"cve": [{"id": "CVE-2013-0422", "type": "cve", "title": "CVE-2013-0422", "description": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. 
If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.", "published": "2013-01-10T16:55:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-09-03T17:54:21"}], "symantec": [{"id": "SMNTC-57246", "type": "symantec", "title": "Oracle Java Runtime Environment CVE-2013-0422 Multiple Remote Code Execution Vulnerabilities", "description": "### Description\n\nOracle Java Runtime Environment is prone to multiple remote code execution vulnerabilities. An attacker can exploit these issues to execute arbitrary code in the context of the application. Versions prior to Oracle JRE 1.7.0 Update 11 are vulnerable. \n\n### Technologies Affected\n\n * CentOS CentOS 5\n * Fedoraproject Fedora 16\n * Fedoraproject Fedora 17\n * Fedoraproject Fedora 18\n * Gentoo Linux\n * IBM Java SDK 7 SR1\n * IBM Java SDK 7 SR2\n * IBM Java SDK 7 SR3\n * IBM Java SE 7 SR1\n * IBM Java SE 7 SR2\n * IBM Maximo Asset Management 6.2\n * IBM Maximo Asset Management 7.1\n * IBM Maximo Asset Management 7.5\n * IBM Maximo Asset Management Essentials 7.1\n * IBM Maximo Asset Management Essentials 7.5\n * IBM Tivoli Endpoint Manager for Remote Control 9.0.0\n * IBM Tivoli System Automation for Integrated Operations Management 2.1\n * Mandriva Business Server 1\n * Mandriva Business Server 1 X86 64\n * Oracle Enterprise Linux 6\n * Oracle Enterprise Linux 6.2\n * Oracle JDK (Linux Production Release) 1.7.0\n * Oracle JDK (Linux Production Release) 1.7.0_2\n * Oracle JDK (Linux Production Release) 1.7.0_4\n * Oracle JDK (Linux Production Release) 1.7.0_7\n * Oracle JDK (Solaris Production Release) 1.7.0\n * Oracle JDK (Solaris Production Release) 1.7.0_10\n * Oracle JDK (Solaris Production Release) 1.7.0_2\n * Oracle JDK (Solaris Production Release) 1.7.0_4\n * Oracle JDK (Solaris 
Production Release) 1.7.0_7\n * Oracle JDK (Windows Production Release) 1.7.0\n * Oracle JDK (Windows Production Release) 1.7.0_2\n * Oracle JDK (Windows Production Release) 1.7.0_4\n * Oracle JDK (Windows Production Release) 1.7.0_7\n * Oracle JRE 1.7.0 Update 10\n * Oracle JRE 1.7.0 Update 4\n * Oracle JRE 1.7.0 Update 6\n * Oracle JRE 1.7.0 Update 7\n * Oracle JRE 1.7.0 Update 9\n * Redhat Enterprise Linux 5 Server\n * Redhat Enterprise Linux Desktop 5 Client\n * Redhat Enterprise Linux Desktop 6\n * Redhat Enterprise Linux Desktop Optional 6\n * Redhat Enterprise Linux Desktop Supplementary 5 Client\n * Redhat Enterprise Linux Desktop Supplementary 6\n * Redhat Enterprise Linux HPC Node 6\n * Redhat Enterprise Linux HPC Node Optional 6\n * Redhat Enterprise Linux HPC Node Supplementary 6\n * Redhat Enterprise Linux Server 6\n * Redhat Enterprise Linux Server Optional 6\n * Redhat Enterprise Linux Server Supplementary 6\n * Redhat Enterprise Linux Supplementary 5 Server\n * Redhat Enterprise Linux Workstation 6\n * Redhat Enterprise Linux Workstation Optional 6\n * Redhat Enterprise Linux Workstation Supplementary 6\n * SuSE Linux Enterprise Software Development Kit 11 SP2\n * SuSE SUSE Linux Enterprise Java 11 SP2\n * SuSE SUSE Linux Enterprise Server 11 SP2\n * SuSE SUSE Linux Enterprise Server for VMware 11 SP2\n * SuSE openSUSE 12.2\n * Ubuntu Ubuntu Linux 12.10\n\n### Recommendations\n\n#### Block external access at the network boundary, unless external parties require service.\n\nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. 
This may indicate exploit attempts or activity that results from successful exploits.\n\n#### Do not follow links provided by unknown or untrusted sources.\n\nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n#### Set web browser security to disable the execution of script code or active content.\n\nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights. \n\nUpdates are available. Please see the references for more information. \n", "published": "2013-01-10T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=57246", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-09-04T11:41:26"}], "cert": [{"id": "VU:625617", "type": "cert", "title": "Java 7 fails to restrict access to privileged code", "description": "### Overview\n\nJava 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nThe Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin. 
\n\nThe Java JRE plug-in provides its own [Security Manager](<http://docs.oracle.com/javase/7/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>). Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's documentation [states](<http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>): _\"If there is a security manager already installed, this method first calls the security manager's `checkPermission` method with a `RuntimePermission(\"setSecurityManager\")` permission to ensure it's safe to replace the existing security manager. This may result in throwing a `SecurityException`.\"_ \n \nBy leveraging a vulnerability in the [Java Management Extensions](<http://docs.oracle.com/javase/tutorial/jmx/index.html>) (JMX) [MBean](<http://docs.oracle.com/javase/tutorial/jmx/mbeans/index.html>) components, unprivileged Java code can obtain references to restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the [invokeWithArguments](<http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29>) method of the [MethodHandle](<http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html>) class, an untrusted Java applet can escalate its privileges by calling the [setSecurityManager()](<http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>) method to disable the security manager and run with full privileges, without requiring code signing. Oracle Java 7 Update 10 and earlier Java 7 versions are affected. OpenJDK 7, and consequently [IcedTea](<http://permalink.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/21381>), are also [affected](<https://bugzilla.redhat.com/show_bug.cgi?id=894172>). 
The invokeWithArguments method was introduced with Java 7, so Java 6 is not affected. \n \nThis vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Oracle Java 7 installed on Windows, OS X, and Linux platforms is affected. Other platforms that use Oracle Java 7 may also be affected. \n \n--- \n \n### Impact\n\nBy convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability. \n \n--- \n \n### Solution\n\n**Apply an update** \n \n[Oracle Security Alert CVE-2013-0422](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>) states that [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) addresses this vulnerability (CVE-2013-0422) and an equally severe, but distinct, vulnerability (CVE-2012-3174). Immunity [has indicated](<http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html>) that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains, so 7u11 should be treated as a partial fix. Java 7u11 also sets the default Java security level to \"High\" so that users will be prompted before running unsigned or self-signed Java applets. \n \nUnless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future. \n \nThis issue has also been addressed in [IcedTea versions 2.1.4, 2.2.4, and 2.3.4](<http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html>). 
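One check a practitioner would want from the version statements above, added here as an example and not part of the CERT note: a Python classifier that reads a `java -version` banner and maps it onto the affected ranges this note states (Oracle Java 7 Update 10 and earlier affected; Java 6 not affected; IcedTea fixed in 2.1.4, 2.2.4 and 2.3.4), reporting 7u11 as only a partial fix because the JMX MBean vector is reported to remain. The sample banners are constructed for the example, and the layout of the IcedTea banner line is assumed from how OpenJDK builds print it.

```python
import re
from dataclasses import dataclass

# Fix levels as given in the CERT note: Oracle Java 7 Update 11 addresses the
# reflection vector (the JMX MBean/findClass vector was reported to remain), and
# these IcedTea releases carry the fix for the corresponding OpenJDK 7 branches.
ORACLE_FIXED_UPDATE = 11
ICEDTEA_FIXED = {(2, 1): (2, 1, 4), (2, 2): (2, 2, 4), (2, 3): (2, 3, 4)}

# First line of `java -version`, e.g.  java version "1.7.0_10"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')
# IcedTea tag in the runtime line (assumed layout), e.g.  (IcedTea7 2.3.3)
ICEDTEA_RE = re.compile(r"IcedTea\d*\s+(\d+)\.(\d+)\.(\d+)")


@dataclass(frozen=True)
class Verdict:
    status: str  # vulnerable | partially_fixed | fixed | not_affected | unknown
    reason: str


def _dotted(v):
    return ".".join(str(x) for x in v)


def classify_java_version(banner: str) -> Verdict:
    """Classify the full `java -version` output (the JVM prints it to stderr)
    against the CVE-2013-0422 affected ranges stated in the advisory."""
    m = VERSION_RE.search(banner)
    if not m:
        return Verdict("unknown", "no version line found")
    major, minor = int(m.group(1)), int(m.group(2))
    update = int(m.group(4)) if m.group(4) else 0

    if (major, minor) != (1, 7):
        # Java 6 lacks MethodHandle.invokeWithArguments; only Java 7 is affected.
        return Verdict("not_affected", "only Java 1.7 is affected, found %d.%d" % (major, minor))

    it = ICEDTEA_RE.search(banner)
    if it:
        ver = tuple(int(x) for x in it.groups())
        fixed_at = ICEDTEA_FIXED.get(ver[:2])
        if fixed_at is None:
            return Verdict("unknown", "IcedTea %s is not on a branch named in the advisory" % _dotted(ver))
        if ver >= fixed_at:
            return Verdict("fixed", "IcedTea %s >= %s" % (_dotted(ver), _dotted(fixed_at)))
        return Verdict("vulnerable", "IcedTea %s < %s" % (_dotted(ver), _dotted(fixed_at)))

    if update < ORACLE_FIXED_UPDATE:
        return Verdict("vulnerable", "Java 7 Update %d predates 7u%d" % (update, ORACLE_FIXED_UPDATE))
    # 7u11 closes the reflection vector; the findClass/MBeanInstantiator vector was
    # reported unfixed, so do not report 7u11 as a complete fix.
    return Verdict("partially_fixed",
                   "Java 7 Update %d: reflection vector fixed, JMX MBean vector reported to remain" % update)


# Constructed sample banners (not captured from real hosts), in the shape that
# `java -version` prints for Oracle Java and for OpenJDK builds with IcedTea.
SAMPLE_BANNERS = {
    "oracle_7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "oracle_7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "oracle_6u38": 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)\n',
    "icedtea_2_3_3": 'java version "1.7.0_09"\nOpenJDK Runtime Environment (IcedTea7 2.3.3) (7u9-2.3.3-1)\n',
    "icedtea_2_3_4": 'java version "1.7.0_11"\nOpenJDK Runtime Environment (IcedTea7 2.3.4) (7u11-2.3.4-1)\n',
}


def classify_samples():
    """Status for each constructed sample; a real check feeds in `java -version 2>&1`."""
    return {name: classify_java_version(b).status for name, b in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        v = classify_java_version(banner)
        print("%-14s %-16s %s" % (name, v.status, v.reason))
```

The classifier looks only at the runtime banner, so it says nothing about whether the browser plug-in is enabled; pair it with the browser-side steps in this note rather than treating a "partially_fixed" host as safe.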
\n \n--- \n \n**Disable Java in web browsers**\n\nStarting with Java 7 Update 10, it is possible to [disable Java content in web browsers](<http://www.java.com/en/download/help/disable_browser.xml>) through the Java Control Panel applet. Please see the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable>) for more details. \n \n**Note**: Due to what appears to be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing `javacpl.exe` manually. This file is likely to be found in `C:\\Program Files\\Java\\jre7\\bin` or `C:\\Program Files (x86)\\Java\\jre7\\bin`. \n \n**Also note** that we have encountered situations on Windows where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. The effect depends on the browser used: [Michael Horowitz has pointed out](<http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11>) that performing the same steps on Windows 7 will result in unsigned Java applets executing without prompting in Internet Explorer, regardless of what the \"Security Level\" slider in the Java Control Panel applet is set to. We have confirmed this behavior with Internet Explorer on both Windows 7 and Vista. Reinstalling Java appears to correct both of these situations. \n \nSystem administrators wishing to deploy Java 7 Update 10 or later with the \"Enable Java content in the browser\" feature disabled can invoke the Java installer with the `WEB_JAVA=0` command-line option. More details are available in the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#install>). 
\n \nAlternatively, Microsoft has released a [Fix it](<http://blogs.technet.com/b/srd/archive/2013/05/29/java-when-you-cannot-let-go.aspx>) that disables Java in the Internet Explorer web browser. \n \n**Restrict access to Java applets** \n \nNetwork administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to `.jar` and `.class` files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nIcedTea| | -| 16 Jan 2013 \nOpenJDK| | -| 14 Jan 2013 \nOracle Corporation| | 11 Jan 2013| 13 Jan 2013 \nRed Hat, Inc.| | -| 17 Jan 2013 \nSun Microsystems, Inc.| | 11 Jan 2013| 12 Jan 2013 \nIBM Corporation| | 14 Jan 2013| 14 Jan 2013 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23625617 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/>\n * <http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html>\n * <http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/>\n * <http://seclists.org/bugtraq/2013/Jan/48>\n * <http://seclists.org/fulldisclosure/2013/Jan/77>\n * 
<http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf>\n * <http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29>\n * <http://www.java.com/en/download/help/disable_browser.xml>\n * <https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf>\n * <https://blogs.oracle.com/security/entry/security_alert_for_cve_2013>\n * <http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>\n * <http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=894172>\n * <https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf>\n * <http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html>\n * <https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224>\n * <http://permalink.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/21381>\n * <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html>\n * <http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11>\n * <http://codeascraft.etsy.com/2013/03/18/java-not-even-once/>\n\n### Credit\n\nThanks to Kafeine for reporting this vulnerability.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2013-0422](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>)\n * US-CERT Alert: [TA13-010A](<http://www.us-cert.gov/cas/techalerts/TA13-010A.html>)\n * Date Public: 10 Jan 2013\n * Date First Published: 10 Jan 2013\n * Date Last Updated: 12 Jun 2013\n * Document Revision: 142\n\n", "published": "2013-01-10T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/625617", "cvelist": ["CVE-2012-3174", 
"CVE-2013-0422"], "lastseen": "2016-02-03T09:12:34"}], "thn": [{"id": "THN:E1C190CB80D323C2864EFE162CFFB46F", "type": "thn", "title": "ICEPOL Ransomware Servers seized by Romanian Police that infected 260,000 Computers", "description": "[![ICEPOL Reveton Ransomware Trojan](http://3.bp.blogspot.com/-goylQ_crASs/UuoeOzUewsI/AAAAAAAAASk/xLNzzDSmUHQ/s728/ICEPOL+Reveton+Ransomware+Trojan.jpg)](<http://3.bp.blogspot.com/-goylQ_crASs/UuoeOzUewsI/AAAAAAAAASk/xLNzzDSmUHQ/s1600/ICEPOL+Reveton+Ransomware+Trojan.jpg>)\n\nAfter financial and banking malware, ransomware has become the first choice of money-motivated cybercriminals.\n\nA new ransomware Trojan known as **ICEPOL** is one such widespread malware family; it was successfully installed approximately 267,786 times worldwide, 42,400 of them in the USA, over a five-month period analyzed by the security firm [_BitDefender_](<http://www.presseportal.de/pm/52715/2651614/gemeinsame-aktion-mit-der-rumaenischen-polizei-bitdefender-hat-icepol-trojaner-untersucht>).\n\nThe **ICEPOL** Trojan is categorized as ransomware: it locks your PC and demands a ransom to unlock it. The malware was using a previously known vulnerability in Java software, namely 
[_CVE-2013-0422_](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>), to infect systems.\n\nThe malware, posing as the police, threatened users with accusations of illegal piracy or '_porn-related activity_' and demanded money in exchange for exemption from punishment.\n\n\u201c_The ICEPOL Trojan extorted victims who downloaded it by sending them a message in any one of 25 languages purporting to be from police accusing them of downloading copyrighted material or illegal porn_,\u201d said Catalin Cosoi, Chief Security Strategist at Bitdefender.\n\nThe [malware](<http://thehackernews.com/search/label/Malware>) includes one more money-making scheme: it redirects victims to websites as part of a _pay-per-click_ traffic-exchange scam. The police estimated that more than $32,000 was stolen from U.S. victims over the five-month period.\n\nThe Romanian police, in cooperation with the Internet security firm Bitdefender, found dozens of C&C servers and seized one of the major ones, located in the Romanian capital Bucharest, which was part of the large-scale distribution of the ICEPOL Trojan.\n\n\u201c_The results of the investigation of the ICEPOL Trojan are based on cooperation with various law enforcement agencies and third-party vendors. Despite the complex investigations, we have so far achieved very good results and we will continue to fight cybercrime_,\u201d says the head of the anti-cybercrime agency of the Romanian National Police.\n\nThis is not the first time ransomware has successfully tricked victims; last year [CryptoLocker](<http://thehackernews.com/search/label/CryptoLocker>), of the same category, hit millions of computer users. Users are advised to keep their system software and anti-virus solutions up to date and, most importantly, to patch their Java installation immediately to _Update 51_.\n\nStay Safe! 
Stay Tuned!\n", "published": "2014-01-29T22:48:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2014/01/icepol-ransomware-servers-seized-by.html", "cvelist": ["CVE-2013-0422"], "lastseen": "2017-01-08T18:01:09"}, {"id": "THN:B322DFBE39D6B1984ECCA4237D6EB6EB", "type": "thn", "title": "Oracle Patches Java Zero Day Vulnerability", "description": "[![](http://2.bp.blogspot.com/-hmHfgVixQNI/UPbcy1J22jI/AAAAAAAAR4M/oWTQ6wJAx4E/s640/Oracle+Patches+Java+Zero+Day+Vulnerability.jpg)](<http://2.bp.blogspot.com/-hmHfgVixQNI/UPbcy1J22jI/AAAAAAAAR4M/oWTQ6wJAx4E/s1600/Oracle+Patches+Java+Zero+Day+Vulnerability.jpg>)\n\nOracle delivered an unusual emergency patch on Sunday for a critical Java zero-day vulnerability that let attackers compromise users through their web browsers. Exploits for the [previously undisclosed flaw were](<http://thehackernews.com/2013/01/exploit-packs-updated-with-new-java.html>) being hosted in a number of [exploit kits](<http://thehackernews.com/2012/09/blackhole-exploit-kit-20-released-with.html>), and attacks had already been seen in the wild dropping ransomware and assorted other malware.\n\nSecurity Alert [CVE-2013-0422](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>) covers two remotely exploitable [vulnerabilities](<http://thehackernews.com/2012/12/hunting-vulnerabilities-in-scada.html>). Oracle confirmed that the flaws were only present in Java 7 and did not affect Java on servers, Java desktop applications, or embedded Java.\n\nJava is used on 3 billion machines, about 2 billion of which are desktop or laptop computers. 
Similarly, back in August last year, Oracle issued an urgent fix to close a dangerous security flaw in its Java software that had left thousands of computers wide open to attack.\n\n**_Lamar Bailey_**, director of security research and development for [nCircle](<https://www.ncircle.com/>), said, \u201c_We\u2019re just two weeks into 2013 and already we\u2019ve seen a surge of critical vulnerabilities and emergency patches. Oracle just added 86 new fixes to overloaded IT teams already struggling to keep up with emergency patches for Java, Internet Explorer and Ruby on Rails._\n\n_No matter how far behind IT teams are, they can\u2019t afford to ignore this massive Oracle patch. Oracle Mobile Server has two CVEs that have a CVSS score of ten, that\u2019s as bad as it gets. There are also two MySQL vulnerabilities that can be exploited remotely. All of these should be patched as soon as possible._\u201d\n\nOracle's January patch release includes 86 security updates across all major product lines, including [Oracle Database](<http://thehackernews.com/2012/05/oracle-database-new-zero-day-exploit.html>) and MySQL Server. 
Patches for a number of Oracle applications were released Tuesday, including nine for Oracle E-Business Suite (7 of which are remotely exploitable), 12 in Oracle PeopleSoft (7 remotely exploitable), 10 in Oracle Siebel CRM (5 remotely exploitable), and one each in Oracle Supply Chain Products Suite and Oracle JD Edwards Products.\n", "published": "2013-01-16T06:01:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2013/01/oracle-patches-java-zero-day.html", "cvelist": ["CVE-2013-0422"], "lastseen": "2017-01-08T18:01:26"}], "packetstorm": [{"id": "PACKETSTORM:119472", "type": "packetstorm", "title": "Java Applet JMX Remote Code Execution", "description": "", "published": "2013-01-11T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/119472/Java-Applet-JMX-Remote-Code-Execution.html", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-12-05T22:18:05"}], "threatpost": [{"id": "EMERGENCY-ZERO-DAY-PATCH-DOES-NOT-QUIET-CALLS-DISABLE-JAVA-011413/77401", "type": "threatpost", "title": "Emergency Zero-Day Patch Does Not Quiet Calls to Disable Java", "description": "![Oracle patch](https://trtpost-wpengine.netdna-ssl.com/files/2013/04/oracle_patch_5.jpg)Oracle\u2019s emergency Java update this weekend for a [zero-day sandbox bypass vulnerability](<https://threatpost.com/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013/>) hasn\u2019t exactly kicked off a love-fest for the company among security experts. Researchers are still cautious about recommending users re-enable the ubiquitous software, despite the availability of the fix for the latest zero-day to target the platform. 
\n\nSome caution that there are still ways to bypass the [heightened security configuration in the update](<http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html>), and others remain concerned about vulnerabilities reported months ago that still have not been addressed.\n\nAdam Gowdiak of Security Explorations in Poland said Oracle has yet to address vulnerabilities reported in April and September of last year; the [September vulnerability](<https://threatpost.com/new-zero-day-vulnerability-found-java-5-6-and-7-11-billion-desktops-affected-092612/>), like the one fixed over the weekend, is a sandbox bypass vulnerability that would enable an attacker to remotely execute code.\n\n\u201c[This] is especially important as a critical vulnerability that affects all Java SE versions released over the [last] eight years or so,\u201d Gowdiak said. 
\u201cWe have confirmed that our proof of concept code for it works with flying colors under Java SE 7 Update 11 released yesterday.\u201d\n\nJaime Blasco, a researcher with AlienVault, echoes Gowdiak\u2019s concerns and says users should continue to leave the Java browser plug-in disabled.\n\n\u201cI don\u2019t think it\u2019s very useful right now,\u201d Blasco said. \u201cI think right now you won\u2019t find Java applets on most websites; regular users don\u2019t need Java right now.\u201d\n\n[Oracle rushed Java 1.7u11 out the door on Sunday](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>), less than a week after the discovery of the vulnerability and exploits in the wild. The most noteworthy enhancement is that Oracle has changed Java\u2019s default security level setting from medium to high. As a result, unsigned or self-signed Java applications will no longer run by default; users will have to approve applets to run them.\n\n\u201cWith the \u2018High\u2019 setting, the user is always warned before any unsigned application is run to prevent silent exploitation,\u201d Oracle said in its advisory.\n\nBlasco said that while this is a good first step, it would not prevent an attacker from tricking the user via social engineering, for example, into executing a malicious applet manually. An attacker with a valid, stolen digital certificate could also, in theory, sign and execute a malicious applet.\n\nThe call to disable Java began again in earnest last Thursday when French researcher [Kafeine](<http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html>) reported that he had found websites hosting exploits for a new zero-day and that exploit kits such as Blackhole had already incorporated the exploit. Soon, most of the major exploit kits, including Cool, Nuclear Pack, Sakura, and Redkit, had the exploits. 
By Friday, an exploit module for the zero-day had been added to [Metasploit](<https://community.rapid7.com/community/metasploit/blog/2013/01/11/omg-java-everybody-panic>), and it was game-on.\n\nHD Moore, Metasploit creator, said the issue in Java 7u10 was a privilege-escalation vulnerability ([CVE-2013-0422](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>)) in the MBeanInstantiator.\n\n\u201cA lot of the recent Java exploits use a technique similar to this one where they find a class that\u2019s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,\u201d Moore told Threatpost last week. \u201cIt\u2019s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7. It\u2019s already being used by all the bad guys and at this point, it\u2019s just catch-up and how fast Oracle can respond.\u201d\n\nFireEye reported last week, and Blasco confirmed today, that some [exploits are serving up ransomware](<https://threatpost.com/incomplete-java-patch-paved-way-latest-zero-day-mess-011113/>). Now that the exploits are part of kits, any payload from banking Trojans, to keyloggers or botnets can be added, researchers said.\n\n\u201cHaving this in the exploit kits is the worst possible scenario; exploit kits are one of the biggest security issues users are facing,\u201d Blasco said. \u201cIf you are a cybercriminal and have money, you will get something that works. You can buy anything, even without knowing anything about coding exploits.\u201d\n\nJava\u2019s availability on numerous platforms from Windows to Linux to Mac OS X makes it an [attractive target for exploit writers](<https://threatpost.com/security-experts-recommend-long-hard-look-disabling-java-browser-plug-100412/>). 
A reliable exploit will run anywhere.\n\n\u201cIf you have an exploit for memory issues and the exploit is reliable, you don\u2019t have to code a different exploit for different languages or platforms, it just works everywhere. You will have 100 percent probability of exploiting the target if it is vulnerable to that issue.\u201d", "published": "2013-01-14T16:40:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/emergency-zero-day-patch-does-not-quiet-calls-disable-java-011413/77401/", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-09-04T20:49:13"}, {"id": "ADP-THEMED-PHISHING-EMAILS-LEAD-BLACKHOLE-SITES-011413/77402", "type": "threatpost", "title": "ADP-Themed Phishing Emails Lead to Blackhole Sites", "description": "Scammers are spamming out malicious emails purporting to come from payroll processing company ADP, according to Dancho Danchev of Webroot.\n\nThe emails arrive under the subject line \u201cADP Immediate Notifications\u201d and contain links to compromised websites hosting the latest iteration of the [Blackhole exploit kit](<https://threatpost.com/cool-blackhole-exploit-kits-created-same-hacker-010913/>). The kit is serving the CVE-2013-0422 Java exploit, which Danchev claimed was still active when he published his report. 
However, [Oracle appears to have patched the bug sometime yesterday](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>).\n\nThe exploit is dropping the \u2018Win32/Cridex.E\u2019 and \u2018Win32/Farei\u2019 Trojans, which are detected by 12 and eight out of 46 antivirus scanners respectively. After exploitation, the malware phones home to command and control servers at the following IP addresses: 173.201.177.77, 132.248.49.112, 95.142.167.193, and 81.93.250.157.\n\nThe campaign makes use of a long list of suspicious-looking URLs that you can check out along with [Danchev\u2019s write-up](<http://blog.webroot.com/2013/01/14/fake-adp-speedy-notifications-lead-to-client-side-exploits-and-malware/>). 
It\u2019s fairly commonplace for social engineers [to mimic ADP in their phishing campaigns](<https://threatpost.com/fake-adp-and-fdic-notifications-leading-users-blackhole-exploit-kit-091412/>) because of the vastness of the company\u2019s payroll operation.\n\n![ADP Notification](https://trtpost-wpengine.netdna-ssl.com/files/2013/04/adp_notification.jpg)", "published": "2013-01-14T18:29:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/adp-themed-phishing-emails-lead-blackhole-sites-011413/77402/", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-09-04T20:45:06"}, {"id": "NBC-WEBSITE-HACKED-LEADING-VISITORS-CITADEL-BANKING-MALWARE-022113/77554", "type": "threatpost", "title": "NBC Website Hacked, Leading Visitors to Citadel Banking Malware", "description": "Another day, another media company hacked. This time it\u2019s NBC which has fallen victim to hackers on the heels of compromises of the _[New York Times](<https://threatpost.com/inside-targeted-attack-new-york-times-013113/>)_ and _Wall Street Journal_ websites. Various experts have confirmed that NBC\u2019s website is compromised and leading visitors to the dangerous [Citadel banking Trojan](<https://www.google.com/url?q=http://threatpost.com/en_us/blogs/citadel-trojan-it-s-not-just-banking-fraud-anymore-020113&sa=U&ei=wosmUfPPKYei2QXMy4C4Ag&ved=0CAoQFjAB&client=internal-uds-cse&usg=AFQjCNHMrwHVyHwOjJNPZQxj_el4hxq2wQ>). The site is reportedly hosting an iframe that is redirecting visitors to sites hosting the RedKit Exploit Kit which is serving up the Citadel malware.\n\n[The HitmanPro blog](<http://hitmanpro.wordpress.com/2013/02/21/nbc-com-hacked-serving-up-citadel-malware/>) said there were two malicious links on the NBC site connecting to the exploits, one on the home page and another on an internal page. 
The links serve Java and PDF exploits that drop Citadel; the Java exploit is the same [sandbox bypass vulnerability](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>) patched in Java 7u11.\n\nThe site remained infected as of 3:30 p.m. ET as attackers were rotating out the iframes regularly, each pointing to a number of attack pages, including a site with a Russian name that translates to my-new-sploit [dot]com.\n\nResearchers at Kaspersky Lab confirmed the redirections are leading victims to Citadel and Zeus (Trojan-Spy.Win32.Zbot.jfgj). Citadel is a version of Zeus and is used primarily for banking fraud. 
Experts say it is sold only in the Russian underground and only to certain customers in order to keep support costs down and reduce the risk of infiltration by law enforcement.\n\nIndependent security consultant Dancho Danchev [tied the NBC attacks to a recent spam campaign targeting Facebook and Verizon](<http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DanchoDanchevOnSecurityAndNewMedia+\\(Dancho+Danchev+-+Mind+Streams+of+Information+Security+Knowledge!\\)>). Danchev said cybercriminals were trying to impersonate Facebook and trick users into thinking their accounts had been shut down. Malicious links used in the spam messages pointed to sites hosting exploits served by the Black Hole Exploit Kit.\n\nDanchev said one of the domains used in the NBC attack matches one used in the Facebook spam campaign, while an email address used to register another domain in the NBC attack matches one similarly used in a campaign against Verizon.\n\n\u201cSomeone\u2019s multitasking,\u201d Danchev said. \u201cThat\u2019s for sure.\u201d\n\nNBC image via [Xurble](<http://www.flickr.com/photos/xurble/>)\u2019s Flickr photostream, Creative Commons", "published": "2013-02-21T21:07:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/nbc-website-hacked-leading-visitors-citadel-banking-malware-022113/77554/", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-09-04T20:45:26"}, {"id": "JAVA-7U11-UPDATE-ADDRESSES-ONLY-ONE-TWO-ZERO-DAY-VULNERABILITIES-011713/77417", "type": "threatpost", "title": "Java 7u11 Update Addresses Only One of Two Zero-Day Vulnerabilities", "description": "Microsoft can take some solace that it is not alone in sending out security updates that don\u2019t fully address a zero-day vulnerability. 
A researcher at Immunity Inc. put Oracle on a similar hot seat this week when he reported that a recent [out-of-band Java update](<https://threatpost.com/emergency-zero-day-patch-does-not-quiet-calls-disable-java-011413/>) repaired only one of two Java flaws being actively exploited.\n\nEsteban Guillardoy said the [Java 1.7 u11 update was incomplete](<http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html>) and cautioned that new exploits could easily pair another zero-day with the remaining unpatched vulnerability and kick off a new spate of attacks.\n\n\u201cAn attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users,\u201d Guillardoy said.\n\nMeanwhile, IT managers are caught in the middle of a patch management mess. 
Since the start of the year, not only have a rash of unreported vulnerabilities been exploited in high-profile attacks, but vendor patches or workarounds have fallen short.\n\nMicrosoft\u2019s temporary Fix It for a zero-day in Internet Explorer that was being exploited in [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) was quickly [bypassed by researchers at Exodus Intelligence](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>). Users of IE 6-8\u2014still the largest install base of the browser\u2014were exposed as early as Dec. 7 when websites serving exploits were first detected; they were publicly reported shortly after Christmas Day. Microsoft made its Fix It available Dec. 29; the bypass was reported Jan. 4 and users remained open to attack until an out-of-band patch was released on Monday.\n\nOracle, meanwhile, won\u2019t have another official Java security update release until Feb. 19. Security Explorations of Poland, a research firm known for its work on Java vulnerabilities, said it reported flaws to Oracle in April and September of last year that still have not been patched.\n\nOracle may have another zero day to add to its list for February as well. Security blog [Krebs on Security](<http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/>) reported yesterday another exploit for a different zero day was being sold on a limited basis for $5,000. The blog reported that two versions of the exploit were available\u2014weaponized and source code\u2014and that the sale would be limited to two buyers. A post on the underground forum where this was observed said the new exploit had not been included in any exploit kit, unlike the previous Java zero day which was included in all the major packs including Blackhole, Cool, Nuclear Pack and others. 
The post has since been removed from the forum, likely indicating the sale is over.\n\nIn the meantime, Oracle has to shore up the Java vulnerability it thought had been patched in 7u11. The Oracle patch was believed to have addressed two vulnerabilities, both covered by [CVE-2012-0422](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>). According to [Oracle\u2019s Java SE documentation](<http://docs.oracle.com/javase/6/docs/technotes/guides/reflection/index.html>), one of the bugs involves reflection, which enables Java to discover information about the constructors and other members of loaded classes and to operate on their underlying counterparts within security restrictions. The API, Oracle said, is the go-between for applications.\n\nThe second vulnerability in question is in the MBeanInstantiator, a flaw that, when combined with the recursive use of the reflection API, bypasses a security check in the Java sandbox. It is the MBeanInstantiator vulnerability that Immunity\u2019s Guillardoy said has not been addressed in the update.\n\n\u201cThe patch (which is Java 7 update 11) doesn\u2019t show any difference at all in the classes inside com.sun.jmx.mbeanserver package,\u201d he wrote. \u201cIt appears then that the MBeanInstantiator.findClass vulnerability is still there in the latest Java update.\u201d\n\nHe said he wrote a simple proof of concept that retrieved restricted Java classes, proving an exploit is still possible.\n\n\u201cSometimes for everyone involved in the offensive world, you need to look at the patch with special detail, because sometimes the vendor stops the worm/0day exploit with a patch, but doesn\u2019t necessary fix all of the associated problems,\u201d Guillardoy wrote. \u201cAnd of course, being only human, sometimes the vendor\u2019s team just plain messes up the patch.\u201d\n\nOracle released Java 1.7u11 on Sunday, four days after exploits were discovered in the wild. 
Oracle said the update not only addressed the vulnerabilities being exploited, but also changed the default Java security level from medium to high. As a result, any unsigned or self-signed Java applications would no longer run by default and would require a user to approve execution of the applet.\n\nSecurity experts said it was a good first step, but an attacker could still use social engineering to trick a user into executing a malicious Java applet. Attackers could also steal valid digital certificates and sign malicious applets so that they would run without intervention.\n\nWhile these [Java exploits](<https://www.securelist.com/en/blog/208193822/The_Current_Web_Delivered_Java_0day>) were targeting Windows machines, Java\u2019s ubiquity on all platforms makes it an attractive target for attackers.\n\n\u201cIf you have an exploit for memory issues and the exploit is reliable, you don\u2019t have to code a different exploit for different languages or platforms, it just works everywhere,\u201d said Jaime Blasco, manager of AlienVault Labs. \u201cYou will have 100 percent probability of exploiting the target if it is vulnerable to that issue.\u201d\n\n_This article was updated on Jan. 17 to clarify that CVE-2012-0422 covers both Java vulnerabilities. 
_", "published": "2013-01-17T15:34:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/java-7u11-update-addresses-only-one-two-zero-day-vulnerabilities-011713/77417/", "cvelist": ["CVE-2012-0422", "CVE-2013-0422"], "lastseen": "2016-09-04T20:50:41"}, {"id": "REPORT-MALVERTISING-CAMPAIGN-THRIVES-DYNAMIC-DNS-021113/77514", "type": "threatpost", "title": "Report: Malvertising Campaign Thrives on Dynamic DNS", "description": "A malvertising campaign that\u2019s lasted almost half a year is staying alive thanks to infected web advertisements being circulated by otherwise clean ad networks.\n\nThe campaign, now in its fifth month, relies on the Dynamic Domain Name System (DDNS) to keep it from being caught according to a report from Symantec\u2019s [Security Response blog](<https://threatpost.com/report-malvertising-campaign-thrives-dynamic-dns-021113/>) that likens its relationship to a \u201cnever-ending story.\u201d\n\nAttackers have been leveraging the ads by inserting their own obfuscated JavaScript into ad network ads. 
The JavaScript helps attackers gauge whether or not victims are running older versions of Internet Explorer and from there, installs tracking cookies and redirects users to a sketchy domain of their choosing.\n\nThe domains change often \u2013 Symantec notes it\u2019s seen the campaign filter users through more than 50 different URLs since its inception in October 2012.\n\nOnce guided to the site, the campaign recognizes the user\u2019s build of Java so multiple JAR files can be dropped onto the system.\n\nThe JAR files target a handful of IE-related Java vulnerabilities ([CVE-2012-4681](<https://threatpost.com/oracle-releases-fix-java-cve-2012-4681-flaw-083012/>) and [CVE-2013-0422](<https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/>)) and builds a dynamic-link library (DLL) which then allows attackers to download malware to the machine.\n\nAccording to Cisco\u2019s 2013 Annual Security Report [issued last month](<https://threatpost.com/report-mainstream-websites-host-majority-malware-013113/>), malvertising, the delivery of malware via online ads, \u201cplayed a more significant role in web malware encounters in 2012 than in 2011,\u201d with about 83 percent of malware on the web coming from malicious iframes and scripts last year.", "published": "2013-02-11T20:40:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/report-malvertising-campaign-thrives-dynamic-dns-021113/77514/", "cvelist": ["CVE-2012-4681", "CVE-2013-0422"], "lastseen": "2016-09-04T20:45:35"}, {"id": "ATTACKERS-EXPLOIT-JAVA-COMPROMISES-REPORTERS-WITHOUT-BORDERS-SITE-012313/77443", "type": "threatpost", "title": "Attackers Exploit Java, Compromise Reporters Without Borders Site", "description": 
"[![Java](https://trtpost-wpengine.netdna-ssl.com/files/2013/04/java_targeted.img_assist_custom-93x93.jpg)](<https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/>)The [Java saga](<https://threatpost.com/its-time-abandon-java-012113/>) continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle\u2019s patch release from their users\u2019 application of it, is part of a [watering hole campaign](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) also targeting [Tibetan](<https://threatpost.com/new-trojan-mac-used-attacks-tibetan-ngos-032112/>) and Uygur human rights groups as well as Hong Kong and Taiwanese political parties and other non-governmental organizations.\n\n[Writing on the Avast Security blog](<https://blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/>), Jindrich Kubec claims it is safe to assume that China is behind these attacks. 
Kubec\u2019s assertion appears to be based, at least in part, on the reality that visitors to the [watering hole](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>) sites (and the sites themselves for that matter), are, for lack of a better way to put it, individuals, organizations, and political entities that the People\u2019s Republic publicly does not like.\n\nThe watering hole attack is a social engineering technique whereby attackers attempt to compromise websites that are not directly or officially related to their intended targets but which they believe members of an intended target organization are likely to visit.\n\nAccording to the Avast report, the attackers used the recent Internet Explorer and Java vulnerabilities, identified as CVE-2012-4792 and CVE-2013-0422 respectively. 
Microsoft resolved the IE bug with [MS13-008](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>) and Oracle fixed theirs with [Java 7 update 11](<https://threatpost.com/newest-java-7-update-still-exploitable-researcher-says-090412/>).\n\nIn the end, if the exploits succeed they will infect victim machines with either a [remote access trojan](<https://threatpost.com/fakem-rat-mimics-normal-network-traffic-011813/>) that phones home to the Singapore-based \u201cluckmevnc.myvnc.com\u201d (IP address 112.140.186.252) or an injector that flashes a fake error page while downloading a similar remote access tool that communicates with the Hong Kong-based \u201cd.wt.ikwb.com\u201d (58.64.179.139).\n\nAn English version of the Reporters Without Borders site contained a suspicious javascript inclusion. That inclusion creates a cookie called \u201csomethingbbbbb\u201d designed to expire after one day. The same cookie was used in similar attacks a few years ago and Kubec believes it could be related to the legitimate m.js cookie, \u201csomethingeeee,\u201d used by a Hong Kong political party.\n\nKubec also determined that an iframe from hxxp://newsite.acmetoy.com/m/d/pdf.html targeted users visiting the site in IE 8. 
There were an additional two iframes, hxxp://newsite.acmetoy.com/m/d/pdf.html and hxxp://newsite.acmetoy.com/m/d/javapdf.html, reserved for those that visited the site on a browser other than IE.\n\nAccording to Kubec\u2019s analysis, newsite.acmetoy.com hosted a number of files relating to the IE exploit listed above, including a DOITYOUR obfuscated Javascript file which attempts to exploit the latest Internet Explorer vulnerability as well as DOITYOUR variants of \u201ctoday.swf,\u201d \u201cnews.html,\u201d and \u201crobots.txt.\u201d\n\nThe site also attempted to exploit at least one other Java vulnerability from back in 2011 as well (CVE-2011-3544) and contained the related files, \u201cjavapdf.html,\u201d a javascript file for both vulnerabilities, \u201cAppletHigh.jar,\u201d a CVE-2013-0422 exploit, and \u201cAppletLow.jar,\u201d a CVE-2011-3544 exploit.\n\nIn an analysis of another site (98.129.194.210), Kubec found that it contained the same malicious Java-related content and reasons that it probably serves as a backup to the first in the event of a takedown.\n\nAvast said it notified Reporters Without Borders.", "published": "2013-01-23T18:53:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/77443/", "cvelist": ["CVE-2012-4792", "CVE-2011-3544", "CVE-2013-0422"], "lastseen": "2016-09-04T20:46:38"}, {"id": "NSA-WHISTLEBLOWER-ARTICLE-REDIRECTS-TO-MALWARE/100930", "type": "threatpost", "title": "Free Beacon Article Redirects to ZeroAccess Rootkit, Fake AV", "description": "**Update:** _Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware. 
_** **\n\nHackers have latched on to the NSA surveillance story\u2014literally.\n\nA news story on the outing of whistleblower Edward Snowden posted to the Washington Free Beacon is serving malware redirecting visitors to a malicious site where more malware awaits. The Free Beacon site remains infected, according to Invincea researchers, who said they have contacted the news organization about the attack. The story is being linked to by the popular Drudge Report and it\u2019s likely to have snared a pretty good number of victims so far.\n\nThe attack on the Free Beacon is similar to a previous [watering hole attack carried out against a number of other Washington, D.C.-based media outlets](<http://threatpost.com/d-c-media-sites-hacked-serving-fake-av/>), including radio station WTOP, Federal News Radio and the site of technology blogger John Dvorak. Invincea researcher Eddie Mitchell wrote on the company\u2019s blog that several other Free Beacon pages are also serving javascript, including the site\u2019s main index page. 
The javascript drops an iframe that sends traffic offsite to a page hosting the Fiesta Exploit Kit.\n\n\u201cThis exploit appears to be the same as used against other media sites to infect readers of these websites and part of a concerted campaign against media sites to infect their visitors by exploiting vulnerabilities in Java,\u201d Mitchell wrote.\n\nMitchell cautions that this attack isn\u2019t being detected yet by security companies because signatures associated with the attack are different from previous campaigns.\n\nThe Free Beacon attack is infecting users with the [ZeroAccess rootkit](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/>), as well as scareware. ZeroAccess is a virulent [peer-to-peer botnet](<http://threatpost.com/number-of-peer-to-peer-botnets-grows-5x/>) that has been folded into a number of commercial exploit kits including Blackhole. The malware makes outbound communication requests to a number of command and control servers including e-zeeinternet[.]com, cinnamyn[.]com and twinkcam[.]net, from where the additional malware is loaded onto victim machines.\n\nA little more than a month ago, the campaigns against WTOP and sister station Federal News Radio were discovered. The exploits targeted Java and Adobe plug-ins and were used to spread scareware. Content on both stations is heavily political and the attacks could have been a jumping off point for a larger attack against federal employees who use the site as a resource. Unlike other watering hole attacks that lead to espionage campaigns against activists or political leaders, this one was serving malware usually associated with cybercrime.\n\nThe Dvorak site was also attacked a month ago and malware was discovered on the site\u2019s [WordPress configuration files](<http://threatpost.com/hackers-using-brute-force-attacks-harvest-wordpress-sites-041513/>). 
Invincea said at the time that it used Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. The browser was pulling a Java app from the attacker\u2019s site and connecting to one of two Russian domains downloading Amsecure malware, which is part of the Kazy malware family, known for ransomware and scareware attacks. Three Java and Reader exploits were discovered on the Dvorak site: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. These exploits lead to a landing page hosting the Black Hole exploit kit and the Amsecure attacks.", "published": "2013-06-10T16:17:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/nsa-whistleblower-article-redirects-to-malware/100930/", "cvelist": ["CVE-2009-0927", "CVE-2010-0188", "CVE-2013-0422"], "lastseen": "2016-09-04T20:45:07"}, {"id": "NEW-WEB-BASED-MINIDUKE-COMPONENTS-DISCOVERED-031113/77610", "type": "threatpost", "title": "New Web-Based MiniDuke Components Discovered", "description": "Researchers at Kaspersky Lab and CrySys Lab have discovered files buried inside a MiniDuke command and control server that indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe.\n\nUsers are likely lured to the malicious webpages via spear phishing messages containing a link to the attack site. 
The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, researcher Igor Soumenkov wrote on the [Securelist](<http://www.securelist.com/en/blog/208194159/Miniduke_web_based_infection_vector>) blog today.\n\nSoumenkov said the attack site hosts a pair of frames, one that loads a webpage from a legitimate organization involved in the rebuilding and modernization of Iraq. In addition to the decoy page, a malicious page acts as a \u201cprimitive exploit pack,\u201d Soumenkov said, determining the browser used to visit the attack site and then serves the appropriate exploit. Data collected is also sent to the attacker\u2019s server.[![](https://trtpost-wpengine.netdna-ssl.com/files/2013/04/miniduke_0.jpg)](<https://threatpost.com/new-web-based-miniduke-components-discovered-031113/>)\n\n\u201cThe exploits are located in separate webpages,\u201d Soumenkov wrote. 
\u201cClients using Internet Explorer version 8 are served with about.htm, for other versions of the browser and for any other browser capable of running Java applets, the javascript code loads JavaApplet.html.\u201d\n\nThe Java file loads a Java class file that exploits [CVE-2013-0422](<https://threatpost.com/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013/>), a vulnerability affecting Java 7u10 and older that bypasses the built-in sandbox in Java to allow remote code execution. Soumenkov said the exploit is coded slightly differently than others exploiting this vulnerability, including the Metasploit module, likely to avoid detection by security software. Oracle patched this vulnerability on Jan. 13; the applet was uploaded on Feb. 11, Soumenkov said.\n\nOnce the Java shellcode is executed, it launches an encrypted DLL and writes it to a temporary Java directory with the name ntuser.bin. It then copies the rundll.32.exe system file to the same directory along with another executable that loads the main module of Miniduke.\n\nMiniduke then reaches out to a pre-seeded Twitter post hosting a URL connecting it to the command and control server to download further instructions.\n\nThe IE 8 exploit behaves similarly, but exploits [CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>), which was [patched in December by Microsoft](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>). A Metasploit module was released Dec. 29 and the [Microsoft Security Update MS13-008](<http://technet.microsoft.com/en-us/security/bulletin/ms13-008>) on Jan. 14. Like its Java counterpart, this exploit page was uploaded Feb. 
11.\n\nThe shellcode used in the IE attack downloads a GIF image from the command and control server then decrypts the portable executable file hidden in the image.\n\n\u201cThe PE file also appeared to be a modification of the Miniduke\u2019s main backdoor module that uses the same Twitter URL as the Java payload,\u201d Soumenkov wrote.\n\nMiniDuke surfaced on Feb. 27 and was originally thought to be just a phishing campaign where targets were emailed malicious PDF files pretending to be Ukraine\u2019s foreign policy and NATO membership plans, as well as information for a phony human rights seminar. The PDF attacks targeted CVE-2013-0640, an Adobe Reader vulnerability that had been patched a week earlier. Attackers were able to copy and move files, create new directories, kill processes and install additional malware. MiniDuke was the second successful Reader sandbox bypass.\n\nMiniDuke stood out for researchers for its use of steganography to hide custom backdoor code, as well as using Twitter to reach URLs pointing to command and control servers. Another unique feature of MiniDuke was its use of a small downloader written in an old-school Assembler language used to gather system information unique to the compromised machine.\n\n\u201cThis is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,\u201d said the original Kaspersky and CrySyS report. 
\u201cSome of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.\u201d", "published": "2013-03-11T16:29:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/new-web-based-miniduke-components-discovered-031113/77610/", "cvelist": ["CVE-2013-0640", "CVE-2012-4792", "CVE-2013-0422"], "lastseen": "2016-09-04T20:53:38"}, {"id": "D-C-MEDIA-SITES-HACKED-SERVING-FAKE-AV/100268", "type": "threatpost", "title": "Hacked Media Sites Serving Fake AV Malware", "description": "Websites belonging to a number of Washington, D.C.-area media outlets have been compromised in a series of opportunistic attacks with criminals using a watering-hole tactic to spread scareware, or phony antivirus software.\n\nPopular D.C. radio station WTOP, sister station Federal News Radio, and the site of technology blogger John Dvorak, were infected with exploits targeting third-party Java or Adobe browser plug-ins. 
The exploits redirect site visitors to an exploit kit serving a scareware executable known as Amsecure.\n\nAs of Tuesday morning, WTOP was still serving malware. The source of the attacks on WTOP and Federal News Radio has not been determined, and it still could be that these are a jumping off point for a larger attack against Federal employees who frequent those sites as a D.C. news source. Media sites have been targeted with more frequency in recent months, and on a variety of levels. But for now, experts are not calling these targeted attacks.\n\n\u201cTypically with \u2018watering hole\u2019 style attacks, the threat actors are targeting a very specific group of users or organizations in order to implant malware (remote access Trojan) that allows for access to the victim\u2019s network (as we saw with the recent DoL compromise),\u201d said [Invincea](<http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-dvorak-blog-site-serving-malware-media-sites-compromised-to-push-fake-av/>) in a statement provided to Threatpost. \u201cIn the case of these three sites which are obviously visited by a much larger audience and based on the type of malware observed (crimeware vs. 
RAT) our assumption is that a specific user group is more than likely not being targeted. Theft of online credentials and/or loss of additional PII is the likely goal of the attacker in these cases.\u201d\n\nZscaler, meanwhile, said [the three attacks shared another commonality](<http://research.zscaler.com/2013/05/popular-media-sites-involved-in-mass.html>): the attack sites were hosted at dynamic DNS providers and the attacks are triggered only when the attack code detects that the visitor is using Internet Explorer. Zscaler also identified three other media sites as compromised: The Christian Post, Real Clear Science and Real Clear Policy.\n\nThe Dvorak site, meanwhile, may be offering up more clues on the attack than the other two. Invincea said it visited the site using Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. An admin for the Dvorak site posted a note that malware had been discovered in the site\u2019s wp-config.php file, which is the main configuration file for the WordPress content management system.\n\n\u201cGiven the amount of attention WordPress has received both recently and historically by miscreants seeking to hijack legitimate websites in order to drive user traffic to malware landing pages, this came as no surprise to us,\u201d Invincea security engineer Eddie Mitchell said.\n\nUpon landing on the Dvorak site, IE pulls a Java application from the attacker\u2019s site and connects to one of two malicious domains, registered to a Russian domain. The Amsecure malware is downloaded and a desktop shortcut is installed, called Internet Security 2013[.]ink.\n\nAmsecure is part of the Kazy malware family. 
Previous variants of the malware take over the desktop and display a warning screen indicating the computer has been infected, along with a phony scanner tool that the attacker hopes will scare the user into buying the fake antivirus program.\n\nInvincea was also able to discover three exploits on the Dvorak landing page for Java and Adobe Reader: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. These exploits lead to a landing page hosting the Black Hole exploit kit and the Amsecure attacks.", "published": "2013-05-07T12:58:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/d-c-media-sites-hacked-serving-fake-av/100268/", "cvelist": ["CVE-2009-0927", "CVE-2010-0188", "CVE-2013-0422"], "lastseen": "2016-09-04T20:45:33"}, {"id": "ICEFOG-ESPIONAGE-CAMPAIGN-IS-HIT-AND-RUN-TARGETED-OPERATION/102417", "type": "threatpost", "title": "Icefog Targeted APT Attacks Hit South Korea, Japan", "description": "An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.\n\nThe China-based campaign is two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.\n\n![icefog_spear1_obf](https://trtpost-wpengine.netdna-ssl.com/files/2013/10/icefog_spear1_obf.png)\n\nHowever, while other APT campaigns maintain a long-term persistence inside infected networks, Icefog seems to do just the opposite. The attackers, Kaspersky researchers said, know what they need from a victim and once they have it, the target is abandoned. 
They\u2019re also likely a small group of hired guns, akin to mercenaries, used to attack a particular group, steal data, and get out quickly.\n\n\u201cWe\u2019ve entered the era of a growing number of these smaller, agile groups hired on a per-project basis,\u201d said Kaspersky Lab researcher Kurt Baumgartner, speaking today at the Billington Cybersecurity Summit in Washington, D.C. \u201cThe operational improvements have arrived and these polished APT groups become much better at flying under the radar.\n\n\u201cFinding a pattern in all the noise is not easy. It\u2019s becoming harder and harder to identify the patterns and connect them with a group,\u201d Baumgartner said.\n\nTo date, Kaspersky Lab\u2019s Global Research and Analysis Team has observed six variants of Icefog and has been able to sinkhole 13 domains used in the attack, capturing snapshots of the malware used and logs detailing victims and interaction with command and control servers.\n\nWindows and Mac OS X versions of Icefog have also been observed, but it appears the OS X backdoor is merely a beta trial of the malware, largely found in online Chinese bulletin boards. Meanwhile, more than 200 unique Windows-based IP addresses have connected to a Kaspersky-controlled sinkhole, a fraction of the total infections, researchers said.\n\n![kurt_baumgartner](https://trtpost-wpengine.netdna-ssl.com/files/2013/09/kurt_baumgartner.jpg)\u201cThere\u2019s a team of operators that are being very selective and going after exactly what they need,\u201d said Baumgartner, right. \u201cIt\u2019s classic APT behavior. 
They likely have previous knowledge of the networks and targets.\u201d\n\nThose targets include defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom and media companies such as Fuji TV.\n\nIcefog not only establishes a backdoor connection to the attacker-controlled command infrastructure, but it also drops a number of tools that allow the attackers to steal certain document types and pivot within an infected company looking for more computers to infect and additional resources to steal.\n\nThe campaign also relies on exploits for vulnerabilities that have been patched in Windows or Java to establish a foothold on an endpoint. Remote code execution bugs in Windows (CVE-2012-0158 and CVE-2012-1856) spread via malicious Word or Excel files are the most common means of initiating the Icefog attack. The infected attachments promise anything from an illicit image of a woman to a document written in Japanese titled: \u201cLittle enthusiasm for regional sovereignty reform.\u201d Users are also sent links to compromised sites hosting Java exploits (CVE-2013-0422 and CVE-2012-1723).\n\nSeparate spear phishing campaigns were also spotted using HLP files\u2014older versions of Winhelp files\u2014to infect targets. 
Winhelp was supported natively until Windows Vista was released.\n\n\u201cMost likely, the choice to abuse Winhelp indicates that the attackers have an idea of what version operating systems they are attacking,\u201d the Kaspersky report said.[![icefog](https://trtpost-wpengine.netdna-ssl.com/files/2013/09/icefog.jpg)](<http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>)\n\nAnother spear phishing effort used HWP document files to spread Icefog; HWP is a proprietary document format used in South Korea, in particular by the government.\n\nOnce a machine is compromised, the attackers individually analyze system information and files stored on the machine and if it passes muster, the backdoor and lateral movement tools are remotely sent to the machine, including password and hash-dumping tools for saved Internet Explorer and Outlook passwords. A compression program is also sent down to compress stolen data before it\u2019s sent to the command and control server. Beyond credentials, victims are losing Windows address book files (.WAB), as well as HWP, Excel and Word files.\n\nOf the six variants, the oldest in 2011 was used in an attack against Japan\u2019s House of Representatives and House of Councilors. Six AOL email addresses were used and commands were also fetched from these accounts.\n\nThe most commonly seen Icefog variant is called Type 1 and it has all the backdoor and lateral movement capabilities described earlier, as well as giving the attackers access to execute SQL commands on SQL Servers found on the network. It\u2019s here where the term Icefog was seen in a string used in the command and control server (the C&C software is named Dagger Three). The command and control script, meanwhile, provides a professional looking interface used to communicate and interact with compromised machines. 
It uses the native file system to store stolen data and temporary files.\n\n\u201cPerhaps the most interesting part is that the Type 1 C&C panel maintains a full history of the attacker\u2019s interaction with the victims,\u201d the report said. \u201cThis is kept as an encrypted logfile, in the \u2018logs\u2019 directory on the server. In addition to that, the server maintains full interaction logs and command execution results from each victim.\u201d\n\nAnother variant was used to enhance Type 1 infections with additional encryption obfuscating communication with command servers. It was not used against victims and disappeared once a machine was rebooted.\n\nSamples for two other variants have yet to be obtained, but Kaspersky was able to sinkhole three domains used with these attacks. These two variants had only view and update capabilities.\n\n[![ips_icefog](https://trtpost-wpengine.netdna-ssl.com/files/2013/09/ips_icefog.jpg)](<https://trtpost-wpengine.netdna-ssl.com/files/2013/09/ips_icefog.jpg>)\n\nThe most recent version, Icefog-NG, doesn\u2019t communicate with a central command server and instead of using a webserver, its command and control is a Windows desktop application that works as a standalone TCP server listening on port 5600.\n\nKaspersky said it first obtained an Icefog sample in June after an attack on Fuji TV. 
It was able to connect the dots back to the attack on the Japanese parliament two years ago.\n\n\u201cWe predict the number of small, focused APT-for-hire groups to grow, specializing in hit-and-run operations, a kind of \u2018cyber-mercenaries\u2019 of the modern world,\u201d the report said.", "published": "2013-09-25T16:30:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417/", "cvelist": ["CVE-2012-1856", "CVE-2012-0158", "CVE-2012-1723", "CVE-2013-0422"], "lastseen": "2016-09-04T20:45:58"}], "canvas": [{"id": "JAVA_MBEANINSTANTIATOR_FINDCLASS", "type": "canvas", "title": "Immunity Canvas: JAVA_MBEANINSTANTIATOR_FINDCLASS", "description": "**Name**| java_MBeanInstantiator_findClass \n---|--- \n**CVE**| CVE-2013-0422 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| java_MBeanInstantiator_findClass \n**Notes**| CVE Name: CVE-2013-0422 \nVENDOR: Sun \nNotes: \n \nAffected versions \nJDK and JRE 7 Update 10 and earlier \n \nTested on: \n\\- Windows 7 with JDK/JRE 7 update 10 \n \nTo run from command line, first start the listener (UNIVERSAL): \npython commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17 \n \nAnd then run the exploit from clientd: \npython ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_MBeanInstantiator_findClass -O allowed_recon_modules:js_recon -O auto_detect_exploits:0 \n \n \nRepeatability: Infinite (client side - no crash) \nReferences: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422 \nDate public: 01/10/2013 \n\n", "published": "2013-01-10T16:55:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/java_MBeanInstantiator_findClass", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-09-25T14:12:14"}], "metasploit": [{"id": "MSF:EXPLOIT/MULTI/BROWSER/JAVA_JRE17_JMXBEAN", "type": "metasploit", "title": "Java Applet JMX Remote Code Execution", "description": "This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.", "published": "2013-01-10T19:30:43", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_jmxbean", "cvelist": ["CVE-2013-0422"], "lastseen": "2017-07-24T19:23:17"}], "seebug": [{"id": "SSV-77783", "type": "seebug", "title": "Java Applet JMX Remote Code Execution", "description": "Summary: \nJava is the programming language and platform introduced by Sun Microsystems in May 1995.\nJava 7 Update 10 and earlier versions of the Oracle Java Runtime Environment (JRE) 1.7 contain a security vulnerability in the MBeanInstantiator class. 
Because the flaw allows access to classes that the class loader does not expose to the caller, a remote attacker can exploit the vulnerability to execute arbitrary code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-77783", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-08-07T11:11:32"}], "saint": [{"id": "SAINT:E7792D5FC9067F389F8BD984BD06BD44", "type": "saint", "title": "Java MBeanInstantiator.findClass and Recursive Reflection Sandbox Escape", "description": "Added: 01/14/2013 \nCVE: [CVE-2013-0422](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>) \nBID: [57246](<http://www.securityfocus.com/bid/57246>) \nOSVDB: [89059](<http://www.osvdb.org/89059>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nTwo vulnerabilities exist in Java versions prior to 7 Update 11. The first vulnerability allows the _findClass_ method of the _MBeanInstantiator_ class to return a Class reference to any package. However, the _MBeanInstantiator_ class constructor is private, so a reference to an instance object must be found. The _newMBeanServer_ static method will return a _JmxMBeanServer_ instance, which contains a reference to an instance of _MBeanInstantiator_. \nThe second vulnerability has to do with security checks performed when calling methods using reflection. The _Lookup_ subclass of the _MethodHandles_ class performs security validation by calling its _checkSecurityManager_ method. The _checkSecurityManager_ method then attempts to walk the call stack by calling the _getCallerClassAtEntryPoint_ method. This method simply returns the result of the _Reflection.getCallerClass_ method. 
This method should skip stack frames relating to the Reflection API. However, it does not properly skip Reflection API frames, which may allow the security checks to be bypassed. \nThe combination of these two vulnerabilities may allow an attacker to execute arbitrary Java code with full privileges on the target system. \n\n### Resolution\n\nUpgrade to [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) or later. This update does not fix the vulnerability, but it does flag all code from unknown sources. Users will be prompted to execute the Java applet, but if they choose to execute the applet, they can still be compromised. Disabling Java browser plug-ins is a more robust solution, but may impact any webapps that use Java applets. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html> \n<http://www.cbsnews.com/8301-205_162-57563846/java-7-patch-released-experts-say-may-contain-flaws/> \n<http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113> \n<http://www.bbc.co.uk/news/technology-21011669> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 10 on Windows XP SP3 English (DEP OptIn), Windows 7 SP1 (DEP OptIn), Mac OS X 10.7.5, and Ubuntu 12.04.1 LTS. 
\n\n### Platforms\n\nWindows \nMac OS X \nLinux \n \n\n", "published": "2013-01-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/java_MbeanInstantiator_findClass_recursive_reflection", "cvelist": ["CVE-2013-0422"], "lastseen": "2017-01-10T14:03:42"}, {"id": "SAINT:30B6CFDC962268E8CEAB02B936B3AA0D", "type": "saint", "title": "Java MBeanInstantiator.findClass and Recursive Reflection Sandbox Escape", "description": "Added: 01/14/2013 \nCVE: [CVE-2013-0422](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>) \nBID: [57246](<http://www.securityfocus.com/bid/57246>) \nOSVDB: [89059](<http://www.osvdb.org/89059>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nTwo vulnerabilities exist in Java versions prior to 7 Update 11. The first vulnerability allows the _findClass_ method of the _MBeanInstantiator_ class to return a Class reference to any package. However, the _MBeanInstantiator_ class constructor is private, so a reference to an instance object must be found. The _newMBeanServer_ static method will return a _JmxMBeanServer_ instance, which contains a reference to an instance of _MBeanInstantiator_. \nThe second vulnerability has to do with security checks performed when calling methods using reflection. The _Lookup_ subclass of the _MethodHandles_ class performs security validation by calling its _checkSecurityManager_ method. The _checkSecurityManager_ method then attempts to walk the call stack by calling the _getCallerClassAtEntryPoint_ method. This method simply returns the result of the _Reflection.getCallerClass_ method. This method should skip stack frames relating to the Reflection API. 
However, it does not properly skip Reflection API frames, which may allow the security checks to be bypassed. \nThe combination of these two vulnerabilities may allow an attacker to execute arbitrary Java code with full privileges on the target system. \n\n### Resolution\n\nUpgrade to [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) or later. This update does not fix the vulnerability, but it does flag all code from unknown sources. Users will be prompted to execute the Java applet, but if they choose to execute the applet, they can still be compromised. Disabling Java browser plug-ins is a more robust solution, but may impact any webapps that use Java applets. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html> \n<http://www.cbsnews.com/8301-205_162-57563846/java-7-patch-released-experts-say-may-contain-flaws/> \n<http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113> \n<http://www.bbc.co.uk/news/technology-21011669> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 10 on Windows XP SP3 English (DEP OptIn), Windows 7 SP1 (DEP OptIn), Mac OS X 10.7.5, and Ubuntu 12.04.1 LTS. 
\n\n### Platforms\n\nWindows \nMac OS X \nLinux \n \n\n", "published": "2013-01-14T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/java_MbeanInstantiator_findClass_recursive_reflection", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-12-14T16:58:07"}, {"id": "SAINT:B859AECDBB7016A3F1E3446FE83018A3", "type": "saint", "title": "Java MBeanInstantiator.findClass and Recursive Reflection Sandbox Escape", "description": "Added: 01/14/2013 \nCVE: [CVE-2013-0422](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>) \nBID: [57246](<http://www.securityfocus.com/bid/57246>) \nOSVDB: [89059](<http://www.osvdb.org/89059>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nTwo vulnerabilities exist in Java versions prior to 7 Update 11. The first vulnerability allows the _findClass_ method of the _MBeanInstantiator_ class to return a Class reference to any package. However, the _MBeanInstantiator_ class constructor is private, so a reference to an instance object must be found. The _newMBeanServer_ static method will return a _JmxMBeanServer_ instance, which contains a reference to an instance of _MBeanInstantiator_. \nThe second vulnerability has to do with security checks performed when calling methods using reflection. The _Lookup_ subclass of the _MethodHandles_ class performs security validation by calling its _checkSecurityManager_ method. The _checkSecurityManager_ method then attempts to walk the call stack by calling the _getCallerClassAtEntryPoint_ method. This method simply returns the result of the _Reflection.getCallerClass_ method. This method should skip stack frames relating to the Reflection API. 
However, it does not properly skip Reflection API frames, which may allow the security checks to be bypassed. \nThe combination of these two vulnerabilities may allow an attacker to execute arbitrary Java code with full privileges on the target system. \n\n### Resolution\n\nUpgrade to [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) or later. This update does not fix the vulnerability, but it does flag all code from unknown sources. Users will be prompted to execute the Java applet, but if they choose to execute the applet, they can still be compromised. Disabling Java browser plug-ins is a more robust solution, but may impact any webapps that use Java applets. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html> \n<http://www.cbsnews.com/8301-205_162-57563846/java-7-patch-released-experts-say-may-contain-flaws/> \n<http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113> \n<http://www.bbc.co.uk/news/technology-21011669> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 10 on Windows XP SP3 English (DEP OptIn), Windows 7 SP1 (DEP OptIn), Mac OS X 10.7.5, and Ubuntu 12.04.1 LTS. 
\n\n### Platforms\n\nWindows \nMac OS X \nLinux \n \n\n", "published": "2013-01-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/java_MbeanInstantiator_findClass_recursive_reflection", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-10-03T15:01:58"}, {"id": "SAINT:9AD9476D8EB15E21C99160959F48E5D8", "type": "saint", "title": "Java MBeanInstantiator findClass and Introspector Sandbox Escape", "description": "Added: 03/04/2013 \nCVE: [CVE-2013-0431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431>) \nBID: [57726](<http://www.securityfocus.com/bid/57726>) \nOSVDB: [89613](<http://www.osvdb.org/89613>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nJava versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim's system while bypassing all security warnings. \n\n### Resolution\n\nApply the updates specified in the [ Oracle Java SE Critical Patch Update Advisory - February 2013](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>). \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html> \n<http://support.novell.com/security/cve/CVE-2013-0431.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2013-03-04T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/java_findclass_introspector_sandbox_escape", "cvelist": ["CVE-2013-0431", "CVE-2013-0422"], "lastseen": "2016-10-03T15:01:53"}, {"id": "SAINT:A4279A54731FBED2154E23C3F5839BB9", "type": "saint", "title": "Java MBeanInstantiator findClass and Introspector Sandbox Escape", "description": "Added: 03/04/2013 \nCVE: [CVE-2013-0431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431>) \nBID: [57726](<http://www.securityfocus.com/bid/57726>) \nOSVDB: [89613](<http://www.osvdb.org/89613>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nJava versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim's system while bypassing all security warnings. \n\n### Resolution\n\nApply the updates specified in the [ Oracle Java SE Critical Patch Update Advisory - February 2013](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>). \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html> \n<http://support.novell.com/security/cve/CVE-2013-0431.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2013-03-04T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/java_findclass_introspector_sandbox_escape", "cvelist": ["CVE-2013-0431", "CVE-2013-0422"], "lastseen": "2017-01-10T14:03:41"}, {"id": "SAINT:ADBCEB1FB086DA5B935080CE40F6277F", "type": "saint", "title": "Java MBeanInstantiator findClass and Introspector Sandbox Escape", "description": "Added: 03/04/2013 \nCVE: [CVE-2013-0431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431>) \nBID: [57726](<http://www.securityfocus.com/bid/57726>) \nOSVDB: [89613](<http://www.osvdb.org/89613>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nJava versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim's system while bypassing all security warnings. \n\n### Resolution\n\nApply the updates specified in the [ Oracle Java SE Critical Patch Update Advisory - February 2013](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>). \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html> \n<http://support.novell.com/security/cve/CVE-2013-0431.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2013-03-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/java_findclass_introspector_sandbox_escape", "cvelist": ["CVE-2013-0431", "CVE-2013-0422"], "lastseen": "2016-12-14T16:58:03"}], "exploitdb": [{"id": "EDB-ID:24045", "type": "exploitdb", "title": "Java Applet JMX Remote Code Execution", "description": "Java Applet JMX Remote Code Execution. CVE-2013-0422. Remote exploit for java platform", "published": "2013-01-11T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/24045/", "cvelist": ["CVE-2013-0422"], "lastseen": "2016-02-02T22:23:33"}], "nessus": [{"id": "CENTOS_RHSA-2013-0165.NASL", "type": "nessus", "title": "CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0165)", "description": "Updated java-1.7.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. 
All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-01-17T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63581", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-26T17:24:47"}, {"id": "FEDORA_2013-0853.NASL", "type": "nessus", "title": "Fedora 18 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc18 (2013-0853)", "description": "This update fixes rhbz#895035 , which consists of a set of flaws that potentially allow arbitrary code execution (including remotely via applets).\n\nIt is strongly recommended that all Java users in Fedora immediately update to this release.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63584", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-26T17:24:00"}, {"id": "SL_20130116_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x i386/x86_64", "description": "Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 
(CVE-2012-3174, CVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-01-17T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63607", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-26T17:26:14"}, {"id": "ORACLE_JAVA7_UPDATE11.NASL", "type": "nessus", "title": "Oracle Java SE 7 < Update 11 Multiple Vulnerabilities", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 11 and is, therefore, potentially affected by the following security issues :\n\n - An unspecified issue exists in the Libraries component. (CVE-2012-3174)\n\n - An error exists in the 'MBeanInstantiator.findClass' method that could allow remote, arbitrary code execution.\n (CVE-2013-0422)\n\nNote that, according to the advisory, these issues apply to client deployments of Java only and can only be exploited through untrusted 'Java Web Start' applications and untrusted Java applets.", "published": "2013-01-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63521", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-05-01T20:44:45"}, {"id": "UBUNTU_USN-1693-1.NASL", "type": "nessus", "title": "Ubuntu 12.10 : openjdk-7 vulnerabilities (USN-1693-1)", "description": "It was discovered that OpenJDK 7's security mechanism could be bypassed via Java applets. 
If a user were tricked into opening a malicious website, a remote attacker could exploit this to perform arbitrary code execution as the user invoking the program.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63609", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-26T17:24:03"}, {"id": "FEDORA_2013-0888.NASL", "type": "nessus", "title": "Fedora 16 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc16 (2013-0888)", "description": "This update fixes rhbz#895035 , which consists of a set of flaws that potentially allow arbitrary code execution (including remotely via applets).\n\nIt is strongly recommended that all Java users in Fedora immediately update to this release.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-01-17T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63586", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-26T17:26:45"}, {"id": "REDHAT-RHSA-2013-0156.NASL", "type": "nessus", "title": "RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0156)", "description": "Updated java-1.7.0-oracle packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\n\nThis update fixes two vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Security Alert page, listed in the References section. (CVE-2012-3174, CVE-2013-0422)\n\nRed Hat is aware that a public exploit for CVE-2013-0422 is available that executes code without user interaction when a user visits a malicious web page using a browser with the Oracle Java 7 web browser plug-in enabled.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 11 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.", "published": "2013-01-15T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63534", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-01-11T02:14:34"}, {"id": "ORACLE_JAVA7_UPDATE11_UNIX.NASL", "type": "nessus", "title": "Oracle Java SE 7 < Update 11 Multiple Vulnerabilities (Unix)", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 11 and is, therefore, potentially affected by the following security issues :\n\n - An unspecified issue exists in the Libraries component. 
(CVE-2012-3174)\n\n - An error exists in the 'MBeanInstantiator.findClass' method that could allow remote, arbitrary code execution.\n (CVE-2013-0422)\n\nNote that, according to the advisory, these issues apply to client deployments of Java only and can only be exploited through untrusted 'Java Web Start' applications and untrusted Java applets.", "published": "2013-02-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64840", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-12-08T05:34:58"}, {"id": "ORACLELINUX_ELSA-2013-0165.NASL", "type": "nessus", "title": "Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0165)", "description": "From Red Hat Security Advisory 2013:0165 :\n\nUpdated java-1.7.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. 
All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68709", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-26T17:23:57"}, {"id": "REDHAT-RHSA-2013-0165.NASL", "type": "nessus", "title": "RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0165)", "description": "Updated java-1.7.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. 
All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-01-17T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63590", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-01-06T02:16:26"}], "openvas": [{"id": "OPENVAS:803156", "type": "openvas", "title": "Oracle Java SE Multiple Remote Code Execution Vulnerabilities (Windows)", "description": "This host is installed with Oracle Java SE and is prone to multiple\n code execution vulnerabilities.", "published": "2013-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=803156", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-02T21:11:07"}, {"id": "OPENVAS:881564", "type": "openvas", "title": "CentOS Update for java CESA-2013:0165 centos6 ", "description": "Check for the Version of java", "published": "2013-01-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881564", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-25T10:51:59"}, {"id": "OPENVAS:841283", "type": "openvas", "title": "Ubuntu Update for openjdk-7 USN-1693-1", "description": "Check for the Version of openjdk-7", "published": "2013-01-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=841283", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-25T10:51:59"}, {"id": "OPENVAS:881557", "type": "openvas", "title": "CentOS Update for java CESA-2013:0165 centos5 ", "description": "Check for the Version of java", "published": "2013-01-21T00:00:00", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881557", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-25T10:51:46"}, {"id": "OPENVAS:850427", "type": "openvas", "title": "SuSE Update for java-1_7_0-openjdk openSUSE-SU-2013:0199-1 (java-1_7_0-openjdk)", "description": "Check for the Version of java-1_7_0-openjdk", "published": "2013-03-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=850427", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-26T08:51:35"}, {"id": "OPENVAS:865170", "type": "openvas", "title": "Fedora Update for java-1.7.0-openjdk FEDORA-2013-0853", "description": "Check for the Version of java-1.7.0-openjdk", "published": "2013-01-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=865170", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-25T10:51:51"}, {"id": "OPENVAS:1361412562310123748", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0165", "description": "Oracle Linux Local Security Checks ELSA-2013-0165", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123748", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-24T12:52:44"}, {"id": "OPENVAS:870889", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0165-01", "description": "Check for the Version of java-1.7.0-openjdk", "published": "2013-01-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870889", "cvelist": ["CVE-2012-3174", 
"CVE-2013-0422"], "lastseen": "2017-07-27T10:51:31"}, {"id": "OPENVAS:865175", "type": "openvas", "title": "Fedora Update for java-1.7.0-openjdk FEDORA-2013-0868", "description": "Check for the Version of java-1.7.0-openjdk", "published": "2013-01-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=865175", "cvelist": ["CVE-2012-3174", "CVE-2012-4681", "CVE-2013-0422"], "lastseen": "2017-07-25T10:52:08"}, {"id": "OPENVAS:865053", "type": "openvas", "title": "Fedora Update for java-1.7.0-openjdk FEDORA-2013-0888", "description": "Check for the Version of java-1.7.0-openjdk", "published": "2013-01-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=865053", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3563", "CVE-2011-3548", "CVE-2011-3547", "CVE-2012-0503", "CVE-2011-3521", "CVE-2012-3174", "CVE-2011-5035", "CVE-2011-3571", "CVE-2011-3389", "CVE-2011-3544", "CVE-2012-0506", "CVE-2011-3558", "CVE-2012-0497", "CVE-2012-0505", "CVE-2011-3554", "CVE-2012-0501", "CVE-2011-3556", "CVE-2011-3560", "CVE-2012-4681", "CVE-2011-3552", "CVE-2013-0422", "CVE-2012-0502"], "lastseen": "2017-07-25T10:51:32"}], "centos": [{"id": "CESA-2013:0165", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:0165\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-January/019203.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-January/019204.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0165.html", "published": "2013-01-16T20:29:20", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-January/019203.html", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-12-05T20:02:24"}], "redhat": [{"id": "RHSA-2013:0156", "type": "redhat", "title": "(RHSA-2013:0156) Critical: java-1.7.0-oracle security update", "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes two vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Security Alert\npage, listed in the References section. (CVE-2012-3174, CVE-2013-0422)\n\nRed Hat is aware that a public exploit for CVE-2013-0422 is available that\nexecutes code without user interaction when a user visits a malicious web\npage using a browser with the Oracle Java 7 web browser plug-in enabled.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 11 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.\n", "published": "2013-01-14T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0156", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-07-28T08:57:49"}, {"id": "RHSA-2013:0165", "type": "redhat", "title": "(RHSA-2013:0165) Important: java-1.7.0-openjdk security update", "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection API\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass Java sandbox restrictions. 
(CVE-2012-3174, CVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2013-01-16T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0165", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-08-02T12:57:33"}, {"id": "RHSA-2013:0626", "type": "redhat", "title": "(RHSA-2013:0626) Critical: java-1.7.0-ibm security update", "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2012-1541, CVE-2012-3174,\nCVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419,\nCVE-2013-0422, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0427, CVE-2013-0428, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433,\nCVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,\nCVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0449, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473,\nCVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485,\nCVE-2013-1486, CVE-2013-1487, CVE-2013-1493)\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR4 release. 
All running instances\nof IBM Java must be restarted for the update to take effect.\n", "published": "2013-03-11T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0626", "cvelist": ["CVE-2012-1541", "CVE-2012-3174", "CVE-2012-3213", "CVE-2012-3342", "CVE-2012-5085", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0422", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0431", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0437", "CVE-2013-0438", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0449", "CVE-2013-0450", "CVE-2013-0809", "CVE-2013-1473", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1484", "CVE-2013-1485", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1493"], "lastseen": "2017-07-28T18:57:28"}], "ubuntu": [{"id": "USN-1693-1", "type": "ubuntu", "title": "OpenJDK 7 vulnerabilities", "description": "It was discovered that OpenJDK 7's security mechanism could be bypassed via \nJava applets. 
If a user were tricked into opening a malicious website, a \nremote attacker could exploit this to perform arbitrary code execution as \nthe user invoking the program.", "published": "2013-01-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/usn/usn-1693-1/", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2017-08-09T19:13:22"}], "suse": [{"id": "OPENSUSE-SU-2013:0199-1", "type": "suse", "title": "java-1_7_0-openjdk: update to icedtea-2.3.4 (critical)", "description": "java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs\n and also severe security issues:\n\n * Security fixes\n - S8004933, CVE-2012-3174: Improve MethodHandle\n interaction with libraries\n - S8006017, CVE-2013-0422: Improve lookup resolutions\n - S8006125: Update MethodHandles library interactions\n\n * Bug fixes\n - S7197906: BlockOffsetArray::power_to_cards_back() needs\n to handle > 32 bit shifts\n - G422525: Fix building with PaX enabled kernels.\n - use gpg-offline to check the validity of icedtea tarball\n\n - use jamvm on %arm\n - use icedtea package name instead of protected openjdk for\n jamvm builds\n - fix armv5 build\n\n - update to java access bridge 1.26.2\n * bugfix release, mainly 64bit JNI and JVM support\n\n - fix a segfault in AWT code - (bnc#792951)\n * add openjdk-7-src-b147-awt-crasher.patch\n - turn pulseaudio off on pre 11.4 distros\n\n", "published": "2013-01-25T14:04:23", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-04T12:15:22"}, {"id": "SUSE-SU-2013:0440-1", "type": "suse", "title": "Security update for Java (important)", "description": "IBM Java 7 was updated to SR4, fixing various critical\n security issues and bugs.\n\n Please see the IBM JDK Alert 
page for more information:\n\n http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Security issues fixed:\n\n CVE-2013-1487, CVE-2013-1486, CVE-2013-1478, CVE-2013-0445,\n CVE-2013-1480, CVE-2013-0441, CVE-2013-1476,\n CVE-2012-1541, CVE-2013-0446, CVE-2012-3342,\n CVE-2013-0442, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\n CVE-2013-0428, CVE-2012-3213, CVE-2013-0419,\n CVE-2013-0423, CVE-2013-0351, CVE-2013-0432,\n CVE-2013-1473, CVE-2013-0435, CVE-2013-0434, CVE-2013-0409,\n CVE-2013-0427, CVE-2013-0433, CVE-2013-0424,\n CVE-2013-0440, CVE-2013-0438, CVE-2013-0443,\n CVE-2013-1484, CVE-2013-1485, CVE-2013-0437, CVE-2013-0444,\n CVE-2013-0449, CVE-2013-0431, CVE-2013-0422, CVE-2012-3174.\n\n", "published": "2013-03-13T00:05:30", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00013.html", "cvelist": ["CVE-2013-0426", "CVE-2012-1541", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-1485", "CVE-2013-0435", "CVE-2013-0442", "CVE-2012-3342", "CVE-2013-0431", "CVE-2013-1473", "CVE-2013-0434", "CVE-2013-0443", "CVE-2012-3174", "CVE-2013-0351", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-0438", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-1487", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-0450", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-0437", "CVE-2013-0425", "CVE-2013-1484", "CVE-2013-0422", "CVE-2013-0441", "CVE-2013-0449", "CVE-2013-0423", "CVE-2013-0419"], "lastseen": "2016-09-04T12:25:42"}], "oraclelinux": [{"id": "ELSA-2013-0165", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": 
"[1.7.0.9-2.3.4.1.0.1.el6_3]\n- Update DISTRO_NAME in specfile\n[1.7.0.9-2.3.4.1.el6]\n- Reverted to IcedTea 2.3.4\n - reverted patch105: java-1.7.0-openjdk-disable-system-lcms.patch\n - removed jxmd and idlj to alternatives\n - make NOT executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true\n - re-applied patch302 and restored systemtap.patch\n - buildver set to 9\n - icedtea_version set to 2.3.4\n - unapplied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch\n - restored tmp-patches source tarball\n - removed /lib/security/US_export_policy.jar and lib/security/local_policy.jar\n - java-1.7.0-openjdk-java-access-bridge-security.patch's path moved from\n java.security-linux back to java.security\n- Resolves: rhbz#895033\n[1.7.0.11-2.4.0.1.el6]\n- Rewritten patch105: java-1.7.0-openjdk-disable-system-lcms.patch\n- Added jxmd and idlj to alternatives\n- make executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true\n- Unapplied patch302 and deleted systemtap.patch\n- buildver increased to 11\n- icedtea_version set to 2.4.0\n- Added and applied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch\n- removed tmp-patches source tarball\n- Added /lib/security/US_export_policy.jar and lib/security/local_policy.jar\n- Resolves: rhbz#895033", "published": "2013-01-16T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-0165.html", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "lastseen": "2016-09-04T11:16:27"}], "gentoo": [{"id": "GLSA-201401-30", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). 
\n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code. Furthermore, a local or remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.7.0.51\"\n \n\nAll Oracle JRE 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.7.0.51\"\n \n\nAll users of the precompiled 32-bit Oracle JRE should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.7.0.51\"\n \n\nAll Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one of the newer Oracle packages like dev-java/oracle-jdk-bin or dev-java/oracle-jre-bin or choose another alternative we provide; e.g. the IBM JDK/JRE or the open source IcedTea. 
\n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically.", "published": "2014-01-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201401-30", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-2431", "CVE-2013-2468", "CVE-2013-2420", "CVE-2013-5889", "CVE-2013-2384", "CVE-2013-2415", "CVE-2013-5848", "CVE-2012-1711", "CVE-2013-1491", "CVE-2013-1571", "CVE-2013-5782", "CVE-2013-5846", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-0402", "CVE-2013-5818", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2416", "CVE-2013-2427", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2012-1725", "CVE-2014-0385", "CVE-2013-2424", "CVE-2013-5878", "CVE-2013-5850", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-5778", "CVE-2013-2456", "CVE-2013-0448", "CVE-2014-0410", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-1479", "CVE-2013-2462", "CVE-2013-0169", "CVE-2014-0415", "CVE-2013-2414", "CVE-2012-1719", "CVE-2013-2394", "CVE-2011-3563", "CVE-2013-5870", "CVE-2013-2421", "CVE-2012-3159", "CVE-2013-1518", "CVE-2013-5776", "CVE-2012-5087", "CVE-2013-5788", "CVE-2013-5905", "CVE-2013-0809", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2013-5893", "CVE-2013-5842", "CVE-2014-0387", "CVE-2012-5085", "CVE-2012-5076", "CVE-2013-5810", "CVE-2013-5830", "CVE-2013-2473", "CVE-2012-5079", "CVE-2012-4416", "CVE-2013-5898", "CVE-2012-0507", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-5832", "CVE-2012-3136", "CVE-2013-1488", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2014-0375", "CVE-2012-5081", "CVE-2012-5067", "CVE-2013-5817", "CVE-2012-0503", "CVE-2012-3174", "CVE-2011-5035", "CVE-2013-2419", "CVE-2012-1723", "CVE-2013-2463", "CVE-2013-1563", "CVE-2013-2469", "CVE-2013-5787", "CVE-2013-5852", 
"CVE-2012-1726", "CVE-2014-0418", "CVE-2013-0351", "CVE-2013-2465", "CVE-2014-0373", "CVE-2013-1537", "CVE-2013-3743", "CVE-2013-5854", "CVE-2012-0498", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5887", "CVE-2012-0506", "CVE-2014-0408", "CVE-2013-5825", "CVE-2012-1717", "CVE-2012-1721", "CVE-2014-0376", "CVE-2013-2423", "CVE-2014-0422", "CVE-2013-5789", "CVE-2014-0411", "CVE-2013-2439", "CVE-2013-1561", "CVE-2013-5823", "CVE-2013-0409", "CVE-2013-5895", "CVE-2013-0438", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2013-2428", "CVE-2012-5083", "CVE-2013-5843", "CVE-2012-5088", "CVE-2013-5899", "CVE-2013-2429", "CVE-2013-5812", "CVE-2013-5849", "CVE-2012-5086", "CVE-2013-5896", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-1532", "CVE-2012-5077", "CVE-2013-1486", "CVE-2014-0417", "CVE-2013-5780", "CVE-2013-5910", "CVE-2013-1487", "CVE-2013-5906", "CVE-2013-0430", "CVE-2013-0445", "CVE-2012-5069", "CVE-2014-0428", "CVE-2012-3216", "CVE-2014-0382", "CVE-2012-0505", "CVE-2013-5824", "CVE-2012-5084", "CVE-2013-5831", "CVE-2012-1718", "CVE-2013-2440", "CVE-2013-2434", "CVE-2013-2464", "CVE-2013-2458", "CVE-2012-3213", "CVE-2013-2459", "CVE-2012-5071", "CVE-2013-5814", "CVE-2013-2442", "CVE-2012-0499", "CVE-2012-0501", "CVE-2013-0446", "CVE-2013-2432", "CVE-2012-1722", "CVE-2014-0368", "CVE-2013-2443", "CVE-2014-0423", "CVE-2013-1481", "CVE-2013-5775", "CVE-2013-2446", "CVE-2012-0547", "CVE-2013-5829", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2438", "CVE-2013-1540", "CVE-2012-0500", "CVE-2013-2467", "CVE-2013-5907", "CVE-2013-1493", "CVE-2013-5902", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-5844", "CVE-2013-0437", "CVE-2012-4681", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2012-0504", "CVE-2013-2426", "CVE-2014-0424", "CVE-2013-2455", "CVE-2013-5819", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-1484", "CVE-2013-1564", 
"CVE-2013-1558", "CVE-2013-5774", "CVE-2012-1724", "CVE-2013-0422", "CVE-2012-5068", "CVE-2014-0403", "CVE-2013-3829", "CVE-2012-1682", "CVE-2012-3143", "CVE-2012-0502", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-2425", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-1569", "CVE-2013-5838", "CVE-2013-2412", "CVE-2013-0449", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2013-5801", "CVE-2014-0416", "CVE-2013-2449", "CVE-2013-2466", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-0423", "CVE-2013-5772", "CVE-2013-0419"], "lastseen": "2016-09-06T19:46:14"}]}}